hack that hijacks Firefox' File Not Found Page

vizitor
Guest

Post by vizitor »

I am seeing a problem in Firefox 1.5.0.3 where the File Not Found Page has been hijacked by a hack. It displays an ad for a website (an x site) instead of the page that would normally display when an unknown or incorrect URL is typed into the address bar - if you typed in nytimes.cim for example instead of nytimes.com.

Has anyone else seen this issue and does anyone know how to fix it short of trying an uninstall and clean install?

Thank you,
Much appreciated.
Guest
Guest

Post by Guest »

I doubt it's anything serious. Many servers on the web are configured with Custom 404 pages; even mozillaZine:
http://forums.mozillazine.org/errorpage
vizitor
Posts: 3
Joined: May 6th, 2006, 9:15 am

Post by vizitor »

Indeed, I know of the custom 404 pages when a deep link is not found, but no matter what site it is that is misspelled in the address bar, I get the same page advertising a porn site. It is definitely an infection in my Firefox installation. Mistyping any website yields the same thing, and there is no way all these sites would have servers configured with the same 404 advertising some porn site.

I have unsuccessfully done a full text search of the Firefox folder looking for some of the text in the 404 but to no avail. Please let me know of any other suggestions.
craigevil
Posts: 3103
Joined: February 20th, 2005, 2:12 pm
Location: OZ

Post by craigevil »

What spyware scanners have you tried running?

I would suggest installing and running:
1) Windows Defender
2) Spybot Search and Destroy
3) ewido anti-malware http://www.ewido.net/en/
4) "HijackThis" http://www.spywareinfo.com/~merijn/downloads.html

Also check your HOSTS file to make sure nothing strange is listed there.

Check your Firefox user.js and pref.js files for crap that doesn't belong as well.


Might want to do an online scan for malware also.

There are many sites you can scan for malware.
http://www.ewido.net/en/onlinescan/

A great site to help you along is "If Your PC is Infested w/ Spyware..."
http://www.spywarewarrior.com/rogue_ant ... htm#online
Raspberry PI 400 Distro: Raspberry Pi OS Base: Debian Sid Kernel: 5.15.26-v8+ aarch64 DE: MATE Ram 4GB
Debian - "If you can't apt install something, it isn't useful or doesn't exist"
My Giant Sources.list
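
The HOSTS and user.js/prefs.js check suggested in the post above can be scripted. This is an added example, not part of the original thread; the list of watched preference prefixes and the sample file contents are assumptions constructed for illustration.

```python
import re

# Prefs that change where Firefox sends requests or how it rewrites a typed URL.
# The prefix list is this example's choice and is not exhaustive.
WATCHED_PREFIXES = ("network.proxy.", "keyword.", "browser.fixup.alternate.")
PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;\s*$')
LOOPBACK = {"127.0.0.1", "::1", "0.0.0.0"}

def suspicious_prefs(text):
    """Return (name, value) for user_pref lines that touch a watched pref."""
    hits = []
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m and m.group(1).startswith(WATCHED_PREFIXES):
            hits.append((m.group(1), m.group(2).strip('"')))
    return hits

def suspicious_hosts(text):
    """Return (ip, name) for HOSTS entries mapping a name to a non-loopback IP."""
    hits = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments, split on whitespace
        if len(fields) < 2:
            continue
        ip, names = fields[0], fields[1:]
        if ip not in LOOPBACK:
            hits.extend((ip, n) for n in names)
    return hits

# Constructed sample input (not taken from the thread).
SAMPLE_PREFS = '''# Mozilla User Preferences
user_pref("browser.startup.homepage", "http://www.mozilla.org/");
user_pref("network.proxy.type", 1);
user_pref("network.proxy.http", "192.0.2.10");
user_pref("keyword.URL", "http://search.example.invalid/?q=");
'''
SAMPLE_HOSTS = '''127.0.0.1 localhost
# 198.51.100.7 commented.example
192.0.2.10 www.example.com example.com
'''

if __name__ == "__main__":
    for name, value in suspicious_prefs(SAMPLE_PREFS):
        print("pref :", name, "=", value)
    for ip, name in suspicious_hosts(SAMPLE_HOSTS):
        print("hosts:", ip, "->", name)
```

A hit is only something to look at by hand: a proxy or keyword setting you configured yourself will be listed as well.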
Guest
Guest

Post by Guest »

I have the exact same problem. My Firefox 1.5.0.3 is showing a porn page when a standard 404 page should show. The problem doesn't happen in IE, which shows the standard 404 page correctly.
Oscar the Prophet
Posts: 788
Joined: March 12th, 2005, 2:05 pm

Post by Oscar the Prophet »

Look at your address bar. Does it have a url?
"Life is a struggle, not against sin, not against the Money Power, not against malicious animal magnetism, but against hydrogen ions."
- HL MENCKEN
netfish
Posts: 2
Joined: April 16th, 2006, 5:30 pm

Post by netfish »

Oscar the Prophet wrote: Look at your address bar. Does it have a url?

There is a url. The url that I want to go to but is not found. For example, http://w222.3432.com/, which doesn't exist, will go to that "porn" 404 page.

Below is the source of that page.

=====

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<!-- saved from url=(0038)http://mindcandyemporium DOT com/index.htm -->
<HTML><HEAD><TITLE>AstraDVD dot com - </TITLE>
<META http-equiv=Content-Type content="text/html; charset=windows-1252">
<META http-equiv=KEYWORDS
content="REMOVED">
<META http-equiv=DESCRIPTION
content="REMOVED">
<META
content="REMOVED
<META
content="REMOVED"
name=Description>
</HEAD>
<BODY bgColor=black>
<CENTER>
<TABLE cellSpacing=2 cellPadding=2 align=center border=0>
<TBODY>
<TR>

<TD align=middle width=550 colSpan=3><FONT face=Arial color=white><MAP
name=bc><!-Image map edited by HTML Image Map Editor by Niksa Orlic. Get it at http://www.coma DOT fsb.hr/~norlic/share->
<AREA
onclick=remote=1 shape=RECT coords="21, 5, 488, 299"
href="http://www.asiablue dot com"></MAP><IMG height=300
alt="REMOVED"
src="img/aocentry.jpg" width=500 useMap=#bc border=0></FONT></TD></TR>
<TR>
<TD align=middle colSpan=3><br>
<font color="#FFFFFF"><a href="http://www.asiablue DOT com">
<font color="#FFFFFF" size="4">REMOVED</font></a></font><br>
&nbsp;</TD></TR>
<TR>
<TD></TD>

<TD align=middle width=550><FONT face=arial color=white size=-1>REMOVED
<a href="http://www.asiablue DOT com"><font color="#FFFFFF">
Last edited by DanRaisch on January 9th, 2018, 7:47 pm, edited 1 time in total.
Reason: Objectionable text removed from page source material.
Guest
Guest

Post by Guest »

sounds like a "fake" mp3 in a download p2p or a wmv file...
Guest
Guest

Post by Guest »

also wma file...
netfish
Posts: 2
Joined: April 16th, 2006, 5:30 pm

Post by netfish »

What do you mean by a "fake" mp3 or wmv file? How can you tell from the "source"?
vizitor
Posts: 3
Joined: May 6th, 2006, 9:15 am

Post by vizitor »

Netfish, Oscar, et al., I get the same AstraDVD website coming up whenever I mistype a URL in the address bar. I have used AdBlock to block the images, but I still think this is a harmful infection of systems that we must determine and prevent. Misdirecting (or redirecting) a browser to a different address can be very dangerous indeed, as you can imagine.

Please note that a workaround I have found in the interim is to determine the URL your browser is being redirected to and block that address in your firewall. The firewall I use, Sygate Personal Firewall, has logging that showed me the IP address for this shady page and I have blocked it. I know this is a band-aid, or temporary approach to this problem and does not address the core issue, but I suggest it as a stop-gap while a better solution is sought.

One devious thing about this problem is that when a system is so infected, any URL typed into the address bar will remain in place and the AstraDVD (or perhaps some other) porn or other shady site will come up and the typed-in URL will actually remain in place in the address bar as if the URL was a real one with an actual IP address, while this is actually not the case.

I am not sure what the Guest who commented above meant by fake mp3, wma, etc., but I think they only meant to further pollute this forum and the web in general with meaningless, and un-collaborative, un-helpful, and scatological stuff. Very unfortunate.
Guest
Guest

Post by Guest »

The trojan is basically a buffer overflow exploit. By putting lots of junk in the ID3 tag, it takes advantage of iTunes not checking that the tag falls within proper size limits, so that an undefined state occurs in the program. The rest of the "ID3" tag is then written into memory, where it will cause execution to pass into the rest of the fake mp3 file, causing the virus to run.

There have been similar trojans that hit Windows Media Player and Winamp; they are also patched very quickly, since it is usually a matter of having the player throw out any invalid tags. Once this exploit is patched, attempting to play the file will probably just result in some awful noise being emitted from the speakers, if anything.
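
A sketch of the size check the post above describes a patched player doing, rejecting a tag whose declared sizes do not fit. This is an added example, not part of the original thread and not any player's actual code; it assumes an ID3v2.3 tag with no extended header, and the sample tags are constructed.

```python
import struct

def synchsafe(b):
    """Decode a 4-byte ID3v2 synchsafe integer; None if any byte has bit 7 set."""
    if len(b) != 4 or any(x & 0x80 for x in b):
        return None
    return (b[0] << 21) | (b[1] << 14) | (b[2] << 7) | b[3]

def check_id3v2(data):
    """Return (ok, reason) for the ID3v2.3 tag at the start of data."""
    if len(data) < 10 or data[:3] != b"ID3":
        return False, "no ID3v2 header"
    if data[3] != 3:
        return False, "only ID3v2.3 handled in this example"
    tag_size = synchsafe(data[6:10])
    if tag_size is None:
        return False, "tag size is not synchsafe"
    end = 10 + tag_size
    if end > len(data):
        return False, "tag size exceeds file length"
    pos = 10
    while pos + 10 <= end and data[pos] != 0:  # a zero byte starts padding
        # In v2.3 the frame size is a plain big-endian 32-bit integer.
        frame_size = struct.unpack(">I", data[pos + 4:pos + 8])[0]
        if pos + 10 + frame_size > end:
            return False, "frame %r overruns the tag" % data[pos:pos + 4]
        pos += 10 + frame_size
    return True, "ok"

def make_tag(frame_size_field, body, tag_size=None):
    """Build a constructed ID3v2.3 tag holding one TIT2 frame (sample input only)."""
    frame = b"TIT2" + struct.pack(">I", frame_size_field) + b"\x00\x00" + body
    n = len(frame) if tag_size is None else tag_size
    size = bytes([(n >> 21) & 0x7F, (n >> 14) & 0x7F, (n >> 7) & 0x7F, n & 0x7F])
    return b"ID3\x03\x00\x00" + size + frame

GOOD = make_tag(5, b"\x00song")                    # sizes match the data
BAD_FRAME = make_tag(0x00FFFFFF, b"\x00song")      # frame claims ~16 MB
BAD_TAG = make_tag(5, b"\x00song", tag_size=4096)  # tag claims more than the file

if __name__ == "__main__":
    for name, tag in (("good", GOOD), ("bad frame", BAD_FRAME), ("bad tag", BAD_TAG)):
        print(name, check_id3v2(tag))
```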
Guest
Guest

Post by Guest »

I know people who, after downloading an mp3/wma/wmv "fake" file, got trouble with the browser they use (opening such a porn page).
That's why I just suggest the "fake mp3" here.
Or did you put "mysearchbar" in your Firefox (or any download search engine)?
Or an MSN thing for MSN...
It can be anything.

PS: I do not want to pollute the forum, but help ;-)
Guest
Guest

Post by Guest »

So is there a fix for the "fake" music files? How can I remove the "porno" page? This only affects Firefox and not IE!
Guest
Guest

Post by Guest »

or affect the default browser...

did you install smileys from smileycentral?

check the links (the sponsors) "asianblue" is there (contain porn access (sorry)
http://72.14.203.104/search?q=cache:Ckv ... =clnk&cd=2

try grisoft's avg free edition
http://free.grisoft.com
Locked